I'm trying to run the script setup_p2.sh for the fast.ai course. I keep getting this error:
An error occurred (UnauthorizedOperation) when calling the CreateVpc
operation: You are not authorized to perform this operation.
NOTE: setup_p2.sh was NOT available at the stated location, but I found it by cloning this repo: https://github.com/fastai/courses
I finally found the solution: Amazon changed the permissions screens when setting up the IAM (Identity Access Management) account. I solved it by creating a new security group with the "AdministratorAccess" permission, and adding that user to that group. Works now.
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
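Both threads above were resolved by granting far more than the failing call needed (AdministratorAccess, or every GameLift action). As an added example that is not from either poster, this sketch pulls the denied actions out of error text in the formats quoted on this page and emits a policy limited to them. It assumes that an EC2 operation name equals its IAM action name, and it uses `"Resource": "*"` only as a starting point to be narrowed.

```python
import json
import re
from collections import defaultdict

# Denial text that names the action, as in the GameLift error above.
EXPLICIT = re.compile(r"not authorized to perform: ([a-z0-9-]+):(\w+)")
# AWS CLI wrapper text; UnauthorizedOperation is the EC2 API's error code.
EC2_CLI = re.compile(r"\(UnauthorizedOperation\) when calling the (\w+) operation")

# Constructed sample: messages in the formats quoted on this page.
SAMPLE_ERRORS = [
    "An error occurred (UnauthorizedOperation) when calling the CreateVpc "
    "operation: You are not authorized to perform this operation.",
    "An error occurred (AccessDeniedException) when calling the CreateBuild "
    "operation: User: arn:aws:iam::------:user/----- is not authorized to "
    "perform: gamelift:CreateBuild because no identity-based policy allows "
    "the gamelift:CreateBuild action",
    # Invalid credentials, not a missing permission: must be ignored.
    "(UnrecognizedClientException) when calling the GetAuthorizationToken "
    "operation: The security token included in the request is invalid.",
]


def denied_actions(lines):
    """Return the sorted, de-duplicated service:Action names that were denied."""
    found = set()
    for line in lines:
        for service, action in EXPLICIT.findall(line):
            found.add(f"{service}:{action}")
        for operation in EC2_CLI.findall(line):
            # Assumption: the EC2 operation name equals the IAM action name.
            found.add(f"ec2:{operation}")
    return sorted(found)


def minimal_policy(actions):
    """Build an identity-based policy with one Allow statement per service."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":", 1)[0]].append(action)
    return {
        "Version": "2012-10-17",
        # Resource "*" is a starting point; narrow it to ARNs where supported.
        "Statement": [{"Effect": "Allow", "Action": acts, "Resource": "*"}
                      for _, acts in sorted(by_service.items())],
    }


if __name__ == "__main__":
    print(json.dumps(minimal_policy(denied_actions(SAMPLE_ERRORS)), indent=2))
```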
So I've just been handed over to a project using AWS and GitLab. The pipeline was working before but then we moved the organization into another larger organization (not sure if this is relevant or not).
But I'm getting the error
(UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
How do I get the ECR_AWS_ACCESS_KEY_ID and ECR_AWS_SECRET_ACCESS_KEY from a particular IAM User?
The error indicates that the credentials used by the pipeline are not valid.
How do I get the ECR_AWS_ACCESS_KEY_ID and ECR_AWS_SECRET_ACCESS_KEY from a particular IAM User?
There's no such thing. You should be using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Set up an IAM user with programmatic access with the required permissions and then use the credentials associated with said user.
I am having trouble creating ec2 instances with my IAM role.
The permissions I gave are
List: DescribeInstances, DescribeKeyPairs
Read: DescribeTags
Tagging: CreateTags
Write: CreateKeyPair, DeleteKeyPair, ImportKeyPair, RunInstances, TerminateInstances
The error is
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
However, on the AWS console, the ec2 instance is created. I am unable to terraform destroy it due to the same error.
It works if I give full ec2 access (ec2:*) so it has nothing to do with my terraform code.
Thank you.
I went through the same error and it is because of lack of permission. In the error:
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
the UnnauthorizedOperation is trying to describe an instance attribute since you do not have the ec2:DescribeInstanceAttribute permission.
Depending on what your Terraform config looks like for the instances, you may require more permissions. You can enable debug logs in your apply command to get more information:
TF_LOG=DEBUG terraform apply
Use the visual policy editor to add permissions to your IAM role and look out for Action Warnings. It will tell you if you are missing any permissions required by the existing permission.
I am trying to allocate the roles to the user in the Terraform file in a GCP project, but I am getting the below error :
Error: Request "Create IAM Members roles/compute.networkAdmin user:someone#google.com for "project \"vibrant-mantis-296207\""" returned error: Batch request and retried single request "Create IAM Members roles/compute.networkAdmin user:someone#google.com for "project \"vibrant-mantis-296207\""" both failed. Final error: Error applying IAM policy for project "vibrant-mantis-296207": Error setting IAM policy for project "vibrant-mantis-296207": googleapi: Error 403: Policy update access denied., forbidden
I used the below piece of code :
module "projects_iam_bindings" {
  source   = "terraform-google-modules/iam/google//modules/projects_iam"
  version  = "~> 6.4"
  projects = ["vibrant-mantis-296207"]

  # Role -> list of members that receive it on the project
  bindings = {
    "roles/storage.admin" = [
      "user:someone#google.com",
    ]
    "roles/compute.networkAdmin" = [
      "user:someone#google.com",
    ]
  }
}
The user/service-account that Terraform is using for authorization does not have the permission resourcemanager.projects.setIamPolicy.
The solution is to edit the IAM permissions for the user/service-account to include a role which has that permission.
Example roles with the permission resourcemanager.projects.setIamPolicy:
roles/iam.securityAdmin
roles/resourcemanager.projectIamAdmin
roles/resourcemanager.folderAdmin
roles/resourcemanager.organizationAdmin
Granting, changing, and revoking access to resources
On the Google Cloud Platform go to IAM, in IAM & Admin select your terraform service yourproject.iam.gserviceaccount.com and add/change the role to Owner.
In the console, run your terraform command(s) again and it should be fixed.
Commands:
terraform init
terraform plan
terraform apply
Found this via google because I got
Error:
Request `Create IAM Members roles/artifactregistry.reader
serviceAccount:mvp-service-account#[[project]].iam.gserviceaccount.com for project "[[project]]"` returned error:
Error retrieving IAM policy for project "[[project]]":
googleapi: Error 403: The caller does not have permission, forbidden
Turns out, I had a typo in my project name and got the error due to this. Hope this helps anyone.
I have a function (Node.js 8.10) in us-west-2 and I am unable to attach the layer arn:aws:lambda:us-east-1:553035198032:layer:git:3. I get the following error message upon save:
You are not authorized to perform: lambda:GetLayerVersion.
I have the AWSLambdaFullAccess managed policy attached to my user, and even the persons with AdministratorAccess get the same error. I also checked in the policy simulator and it specifies that this permission IS allowed to be run by myself and the Administrator users.
Any ideas as to what I might be doing wrong?
REGION MISMATCH
I followed the README here, but failed to notice the region difference, nor the Version ARNs section that implies the package author has created the layer in multiple regions.
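The region mismatch described above can be caught before saving the function. This is an added example, not code from the poster or the layer's author: it parses each layer ARN and compares its region with the function's region. The function names in the inventory are hypothetical and the inventory is constructed; the layer ARN is the one from the question.

```python
import re

# arn:<partition>:lambda:<region>:<account>:layer:<name>[:<version>]
LAYER_ARN = re.compile(
    r"^arn:aws[a-z-]*:lambda:(?P<region>[a-z0-9-]+):\d{12}:layer:"
    r"(?P<name>[A-Za-z0-9_-]+)(?::(?P<version>\d+))?$"
)


def check_layer(layer_arn, function_region):
    """Return the reasons this layer cannot be attached in function_region."""
    match = LAYER_ARN.match(layer_arn)
    if match is None:
        return [f"{layer_arn!r} is not a Lambda layer ARN"]
    problems = []
    if match["version"] is None:
        problems.append(
            f"layer {match['name']!r} has no version suffix (expected layer:name:N)"
        )
    if match["region"] != function_region:
        problems.append(
            f"layer {match['name']!r} is in {match['region']} but the function is "
            f"in {function_region}; use the layer version ARN published for that region"
        )
    return problems


def audit(functions):
    """Map function name -> problems, listing only functions with a bad layer."""
    report = {}
    for fn in functions:
        problems = [p for arn in fn["layers"] for p in check_layer(arn, fn["region"])]
        if problems:
            report[fn["name"]] = problems
    return report


# Constructed inventory; the first entry reproduces the case in the question.
FUNCTIONS = [
    {"name": "clone-repo", "region": "us-west-2",
     "layers": ["arn:aws:lambda:us-east-1:553035198032:layer:git:3"]},
    {"name": "clone-repo-east", "region": "us-east-1",
     "layers": ["arn:aws:lambda:us-east-1:553035198032:layer:git:3"]},
]

if __name__ == "__main__":
    for name, problems in audit(FUNCTIONS).items():
        for problem in problems:
            print(f"{name}: {problem}")
```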